Microsoft Security Risk Detection (MSRD) is a Microsoft’s Dynamic Security Application Testing (DAST) unique solution that makes two high-quality testing security techniques called Fuzzing and Web Scanning.
What is fuzzing and web scanning:
- Fuzzing is a highly effective negative testing technique used to find security vulnerabilities in software products (in code). It consists of repeatedly feeding modified, or fuzzed, data to software inputs to trigger hangs, exceptions, and crashes — fault conditions that could be leveraged by an attacker to disrupt or take control of applications and services.
- Web scanning is the automated process of identifying the reachable attack surface of a running web site or service and then inspecting the identified surface for security vulnerabilities and other issues. Any issues that are found are then classified for type and severity and reported back to the user along with recommended mitigations or countermeasures.
Microsoft Security Risk Detection is being used internally at Microsoft over the last 15 years, and the same service is offered to help customers to quickly adopt practices and technology to identify critical bugs and make sure their applications are secured.
How does Microsoft Security Risk Detection work?
The Microsoft Security Risk Detection work by following the 5 steps and phases below:
- Step 1: You log into a secure web portal. Security Risk Detection provides you a Virtual Machine (VM) to upload the target binaries of the software you want to test, along with a “test driver” program that runs the scenario to be tested, and a set of sample input files called “seed files” to use as a starting point for fuzzing.
- Step 2: Security Risk Detection validates the job, minimizes the seed files, and then clones the test VM (known as customer VM) dozens of times based on workload.
- Step 3: Multiple fuzzers run for multiple days: the target application is executed roughly 8,000,000 times, each time with a slightly modified input file that’s intended to crash the target.
- Step 4: Any time an execution fails, the offending file is sent to the repro VM to ensure the bug is reproducible.
- Step 5: In the last step, the bug(s) that reproducible (along with the file, stack trace, and other debug info) are available in the portal and API in real-time.
In this article, I will show you how to get started with Web Scanning in Microsoft Security Risk Detection. For more information about Fuzzing which is more on the developer side, please check the following document.
MSRD for Web Applications
Microsoft Security Risk Detection for Web Applications covers a wide known vulnerabilities list such as:
- Injection: SQL – Command – LDAP – XPath – XML External Entity Attack (XXE) – Server Side Include (SSI) – Expression Language
- Authentication: Insecure channel – HTTPS Downgrade – Credentials stored in clear text in a cookie – Session fixation, strength, upgrade checks
- HTTP Protocol: Response Splitting – HTTP Strict Transport Security (HSTS) – HTTP Headers – HTTP Verb Tampering (Request Method Tampering) – X-Content-Type-Options – X-Frame-Options – Cookie attributes
- Sanitization Failures: Parameter Fuzzing – Invalidated Redirect – Cross-site scripting (XSS) (DOM, Persistent, Reflected, Out-of-band) – Cross-site tracing (XST) – Clients Cross-Domain Policy Files – Cross-Site Request Forgery (CSRF)
- Authorization: Privilege Escalation – Cross-Origin Resource Sharing (CORS)
- Info Leak: Response, Comments, Scripts – Directory Indexing – Email Disclosure – Source Code Disclosure – Secure/non-secure content mix – insecure channel – Browser Cache directive – Forced Browsing – Subdomain discovery – Predictable Resource Locations
- Crypto: Form Session Strength – SSL Strength – Brute Force (HTTP Auth) – Brute Force Form-based Authentication
- Known / Vendor Issues: Apache Struts – ASP.NET Serialization – ASP.NET ViewState check – FrontPage – Heartbleed – Java Grinder – Nginx NULL code – PHP Code Execution
As you can see, MSRD for web scanning covers a huge list of known vulnerabilities. I expect additional features to be added in the not too distant future.
Start with MSRD for Web Scanning
To get up and running as fast as possible, you should have the following:
- Trial access for Microsoft Security Risk Detection, you can sign up here to get one.
- A website with a publicly accessible URL. The website, and all the APIs it uses need to be available to MSRD scanners. Microsoft recommends logging into the website on your phone, making sure it works there, before trying it in the scanner.
- If the site is not publicly accessible, please whitelist both 220.127.116.11 and 18.104.22.168/28 to HTTP traffic in your firewall.
- If your website requires credentials, a user will need to be set up with access to the website. Users with elevated privileges, such as administrators, can usually find the largest portion of your website and are usually the best choice for users.
- Have someone available who knows the sitemap of the website. Sometimes MSRD scanner doesn’t find everything, so it’s better if we find this as soon as possible.
- What should the scanner avoid? MSRD sometimes scan sites that have a “delete all users” functionality, or something similar, and making sure you know these links ahead of time will help you get up and running faster.
- Last but not least, you need engineering support to work with you during the pilot phase, and optionally able to discuss results and remediation steps.
Once you’re ready to start scanning and you have access to security risk detection, Microsoft recommends you follow the process below in sequence:
Configure and run a Crawl Only scan of your website to ensure the scanner is finding all parts of the website you want to be scanned. You will not get results from a crawl-only scan, but it will save you time setting up your scan. Now take the following configuration steps:
- Login to Microsoft Security Risk Detection https://www.microsoftsecurityriskdetection.com, select Web Scanning and then click + New Configuration.
- In the Basic Settings page give a name and description for the site that you want to scan, and then click on the arrow button to continue.
- In the Crawl Configuration page, Add the Root Urls. If you want to exclude certain URLs from the scan, you can add them under the Crawl Scope and select Exclude as shown in the following screenshot:
- In the Authentication Method, add the authentication that you are using for the target site. By default, targets site are assumed to be anonymously accessible. If your site requires authentication, please choose one or more authentication methods and provide the appropriate credentials for each. This step is very important, you must own the target and be able to grant rights to scan. In this example, I am not using any authentication method. Click on the arrow button to continue.
- In the Crawl Seeding page, you may upload one or more Traffic Recordings; the crawler will replay this traffic as part of the scan. Microsoft recommends Fiddler, though they also accept (Burp, Har, Paros, and WebScarab) recordings as well. You may upload one or more Selenium Scripts; the crawler will execute these as part of the scan. Note that the given Selenium scripts must use the Chrome web driver or be valid .NET executable. Last, you may indicate the URL of one or more Swagger Documents; the crawler will include these as entry points to the scan.
- In the Attack Configuration page, choose whether to enable all, none, or some of the Attack Profile modules to run after the scan’s crawl phase completes. It’s very important to select Crawl Only scan in this step to ensure the scanner is finding all parts of the website. In the next step, we will perform the attack!
- In the HTTP Customization page, you can modify the default HTTP Headers values submitted with each HTTP request, or add your own custom headers if you want. Click on the arrow button to continue.
- In the last Advanced Settings page, you can adjust the performance for the scan, by decreasing or increasing the Delay Between Requests, the Connection Timeout, Read Timeout, Max Bandwidth, and Concurrent Threads. You can also enable Proxy which if enabled, the scan engine will ferry crawl and attack traffic through the indicated proxy, and finally click Done.
- When you are ready to scan your site, select the play button to Queue Scan. Give the scan a name and finally click Queue.
- The scan will be queued and then it will be picked up as soon as the next slot is available. Please note that the first scanning job will take many hours to complete.
When the Crawl Only scan is completed, you can move to the attack scan. You will get results from this scan.
You need to Edit Configuration, click on the arrow => button next to the play button, and then click Edit.
Select the Attack Configuration page, and change the Attack Profile from Crawl Only to the desired module. I selected All Modules in this example. When done click Save, and then click Done.
When you are ready to scan your site in attack mode, select the play button to Queue Scan. Give the scan a name and finally click Queue.
Once you’ve run one successful attack scan, you can usually re-run attack scans using that configuration without having to redo the crawl again.
Once you’ve run one successful attack scan, you can view the results by clicking on the Scan Name. In the Web Scan Results, you can see the Site Map, Links, Summary, By Attack Module, By URL, By Severity, and finally you can Export the scan as an offline copy.
In this example, I have a high severity SQL injection vulnerability.
You can click on More Information to see the recommendation and take the remediation steps.
Last but certainly not least, you can see the different attack levels and requests that were performed on the target site.
That’s it there you have it.
As described in this article, Microsoft Security Risk Detection is so powerful security risk detection service powered by Microsoft Azure in the back-end.
Access to the MSRD user portal requires either a Microsoft account (MSA) or an Azure Active Directory (AAD) account. If your company uses AAD, then you should be ready to go. If not, you can use an MSA – please create one here if needed before signing up for a trial.
To get started with Microsoft Security Risk Detection, you can sign up now with a free trial for cross-platform Windows or Linux.
MSRD finds security vulnerabilities and other issues in data parsers and web applications and services. Microsoft recommends you identify the target applications you want to test ahead of time, so you can get started right away once you’re granted a trial.
Until then… Stay secure with Microsoft Security Risk Detection!
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.